Abstract. We propose variations of the class of hidden monomial cryptosystems in order to make it resistant to all known attacks. We use identities built upon a single bivariate polynomial equation with coefficients in a finite field. Indeed, it can be replaced by a "small" ideal, as well. Throughout, we set up probabilistic encryption protocols, too. The same ideas extend to digital signature algorithms, as well. Our schemes work as well on differential fields of positive characteristic, and elsewhere.






1. Introduction 



This paper focuses on Hidden Monomial Cryptosystems, a class of public key cryptosystems first proposed by Imai and Matsumoto [?]. In this class, the public key is a set of nonlinear polynomial equations. The private key is the set of parameters that the user chooses to construct the equations. Before we discuss our variation, we review briefly a simplified version of the original cryptosystem, better described in [?]. The characters met throughout this paper are:

• Alice, who wants to receive secure messages;

• Bob, who wants to send her secure messages;

• Eve, the eavesdropper.

Alice takes two finite fields $\mathbb{F}_q < K$, $q$ a power of 2, and $\beta_1, \beta_2, \dots, \beta_n$ a basis of $K$ as an $\mathbb{F}_q$-vector space. Next she takes $0 < h < q^n$ such that $h = q^\theta + 1$, and $\gcd(h, q^n - 1) = 1$. Then she takes two generic vectors $\mathbf{u} = (u_1, \dots, u_n)$ and $\mathbf{v} = (v_1, \dots, v_n)$ over $\mathbb{F}_q$, and puts$^1$:

(1) $\mathbf{v} = \mathbf{u}^h$

The condition $\gcd(h, q^n - 1) = 1$ is equivalent to requiring that the map $u \mapsto u^h$ on $K$ is one-to-one; its inverse is the map $u \mapsto u^{h'}$, where $h'$ is the multiplicative inverse of $h$ modulo $q^n - 1$.
$^1$ In this paper we reserve boldface for the elements of $K$ thought of as vectors over $\mathbb{F}_q$ in the fixed private basis. They are considered vectors or field elements, as convenient, without further notice. In practice this shift of viewpoint takes a Chinese Remainder Theorem computation. In order to avoid boring repetitions, Cryptosystem and Scheme are used as synonyms.
In addition, Alice chooses two secret affine transformations, i.e., two invertible matrices $A = \{A_{ij}\}$ and $B = \{B_{ij}\}$ with entries in $\mathbb{F}_q$, and two constant vectors $\mathbf{c} = (c_1, \dots, c_n)$ and $\mathbf{d} = (d_1, \dots, d_n)$.

Now she sets:

(2) $\mathbf{u} = A\mathbf{x} + \mathbf{c}$ and $\mathbf{v} = B\mathbf{y} + \mathbf{d}$.

Recall that the operation of raising to the $q^k$-th power in $K$ is an $\mathbb{F}_q$-linear transformation. Let $P_k = \{p^{(k)}_{ij}\}$ be the matrix of this linear transformation in the basis $\beta_1, \beta_2, \dots, \beta_n$, i.e.:

(3) $\beta_i^{q^k} = \sum_{j=1}^{n} p^{(k)}_{ij}\,\beta_j, \qquad p^{(k)}_{ij} \in \mathbb{F}_q,$

for $1 \le i, k \le n$. Alice also writes all products of basis elements in terms of the basis, i.e.:

(4) $\beta_i \beta_j = \sum_{\ell=1}^{n} m_{ij\ell}\,\beta_\ell, \qquad m_{ij\ell} \in \mathbb{F}_q,$

for each $1 \le i, j \le n$. Now she expands equation (1). So she obtains a system of equations, explicit in the $\mathbf{v}$, and quadratic in the $\mathbf{u}$. She now uses her affine relations (2) to replace the $\mathbf{u}, \mathbf{v}$ by the $\mathbf{x}, \mathbf{y}$. So she obtains $n$ equations, linear in the $\mathbf{y}$, and of degree 2 in the $\mathbf{x}$. Using linear algebra, she can get $n$ explicit equations, one for each $y_i$, as polynomials of degree 2 in the $\mathbf{x}$.

Alice makes these equations public. To send her a message $\mathbf{x} = (x_1, x_2, \dots, x_n)$, Bob substitutes it into the public equations. So he obtains a linear system of equations in the $\mathbf{y}$. He solves it, and sends $\mathbf{y} = (y_1, y_2, \dots, y_n)$ to Alice.

To eavesdrop, Eve has to substitute $(y_1, y_2, \dots, y_n)$ into the public equations, and solve the nonlinear system of equations for the unknowns $\mathbf{x}$.

When Alice receives $\mathbf{y}$, she decrypts:

$$(y_1, y_2, \dots, y_n) \;\longmapsto\; \mathbf{v} = B\mathbf{y} + \mathbf{d} \;\longmapsto\; \mathbf{u} = \mathbf{v}^{h'} \;\longmapsto\; \mathbf{x} = A^{-1}(\mathbf{u} - \mathbf{c}).$$

In Eurocrypt '88 [?], Imai and Matsumoto proposed a digital signature algorithm for their cryptosystem. At Crypto '95, Jacques Patarin [?] showed how to break this cryptosystem. He noticed that if one takes the equation $v = u^{q^\theta + 1}$, raises both sides to the $(q^\theta - 1)$-th power, and multiplies both sides by $uv$, he gets the equation

$$u\,v^{q^\theta} = u^{q^{2\theta}}\,v,$$

which leads to equations in the $\mathbf{x}, \mathbf{y}$ that are linear in both sets of variables: raising to a power of $q$ is $\mathbb{F}_q$-linear, so each side is bilinear in the coordinates of $\mathbf{u}$ and $\mathbf{v}$, hence in those of $\mathbf{x}$ and $\mathbf{y}$. Essentially, these equations do not suffice to identify the message uniquely, but once the ciphertext is substituted they leave only a small set of candidate cleartexts, so even an exhaustive search becomes feasible. The system was definitively insecure and breakable, but its ideas inspired a whole class of public key cryptosystems and digital signatures based on structural identities for finite field operations [?, ?, ?, ?, ?, ?].
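The following is a worked toy instance of the cryptosystem reviewed above (equations (1), (2) and the decryption chain) together with Patarin's linearization attack on it. It is an example added for this edition, not code from the paper. Its assumptions: $q = 2$, $n = 11$, $\theta = 1$, so $h = 3$ and $\gcd(3, 2^{11}-1) = 1$; $K = \mathbb{F}_{2^{11}}$ is represented in the polynomial basis modulo $x^{11} + x^2 + 1$ (an assumed irreducible trinomial); the secret affine maps are called $S$ (on the $\mathbf{x}$ side) and $T$ (from $\mathbf{v}$ to $\mathbf{y}$), and the public map $T(S(\mathbf{x})^h)$ is evaluated through them rather than expanded into the $n$ public quadratics, which is the same function. For the attack, the toy enumerates every $(\mathbf{x}, \mathbf{y})$ pair of the small field and solves, by Gaussian elimination over $\mathbb{F}_2$, for all relations $\sum a_{ij} x_i y_j + \sum b_i x_i + \sum c_j y_j + d = 0$; the real attack derives the same relations from the public polynomials. Plugging a target ciphertext into the relations leaves linear equations in $\mathbf{x}$ whose solutions contain the cleartext (plus at most the one spurious candidate corresponding to $u = 0$, which the identity above cannot exclude).

```python
"""Toy Matsumoto-Imai C* over GF(2^11) and Patarin's linearization attack.

Added worked example, not from the paper.  Assumptions: q = 2, n = 11,
theta = 1 (h = 3), modulus x^11 + x^2 + 1 for K = GF(2^11); the public
map T(S(x)^h) is evaluated through the secret affine maps S, T instead of
the expanded public quadratics (same function, fewer lines).
"""
import random

N, THETA = 11, 1
MOD = (1 << 11) | (1 << 2) | 1        # x^11 + x^2 + 1, assumed irreducible over GF(2)
H = (1 << THETA) + 1                  # h = q^theta + 1 = 3
H_INV = pow(H, -1, (1 << N) - 1)      # h' with h*h' = 1 mod (q^n - 1)
MASK = (1 << N) - 1                   # a field element is an int of N coordinate bits
NVAR = N * N + 2 * N + 1              # unknowns a_ij (i*N+j), b_i (N*N+i), c_j (N*N+N+j), d


def gf_mul(a, b):
    """Multiply in GF(2^N) by shift-and-reduce modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N & 1:
            a ^= MOD
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def parity(x):
    return bin(x).count("1") & 1


def nullspace(rows, ncols):
    """Basis of {v : r.v = 0 for every row r} over GF(2); rows/vectors are bit-ints."""
    pivots = {}                                   # pivot column -> row, kept in RREF
    for r in rows:
        for col, prow in pivots.items():          # reduce r by the existing pivots
            if r >> col & 1:
                r ^= prow
        if r:
            col = r.bit_length() - 1              # new pivot = highest remaining bit
            for c2 in pivots:                     # clear that column elsewhere
                if pivots[c2] >> col & 1:
                    pivots[c2] ^= r
            pivots[col] = r
    basis = []
    for free in range(ncols):                     # one kernel vector per free column
        if free not in pivots:
            v = 1 << free
            for col, prow in pivots.items():
                if prow >> free & 1:
                    v |= 1 << col
            basis.append(v)
    return basis


def affine(m, x):
    """m = (rows, c) encodes x -> M x + c over GF(2); rows[i] is row i of M."""
    rows, c = m
    return sum(parity(row & x) << i for i, row in enumerate(rows)) ^ c


def random_affine(rng):
    while True:
        rows = [rng.randrange(1, 1 << N) for _ in range(N)]
        if not nullspace(rows, N):                # invertible iff trivial kernel
            return rows, rng.randrange(1 << N)


def keygen(rng):
    S, T = random_affine(rng), random_affine(rng)
    # toy-sized K: tabulate the inverse affine maps instead of inverting matrices
    S_inv = {affine(S, x): x for x in range(1 << N)}
    T_inv = {affine(T, v): v for v in range(1 << N)}
    return (S, T), (S_inv, T_inv)


def encrypt(key, x):
    """The public map y = T(S(x)^h): equation (1) sandwiched between the affine maps (2)."""
    S, T = key
    return affine(T, gf_pow(affine(S, x), H))


def decrypt(priv, y):
    S_inv, T_inv = priv
    return S_inv[gf_pow(T_inv[y], H_INV)]        # v = T^-1(y), u = v^h', x = S^-1(u)


def relation_row(x, y):
    """Value of every candidate term a_ij x_i y_j, b_i x_i, c_j y_j, d at the pair (x, y)."""
    r = 1 << (N * N + 2 * N)
    for i in range(N):
        if x >> i & 1:
            r |= (y << (i * N)) | (1 << (N * N + i))
    return r | (y << (N * N + N))


def linearization_relations(pairs):
    """All bilinear-plus-affine relations between x and y holding on every sample pair."""
    return nullspace([relation_row(x, y) for x, y in pairs], NVAR)


def candidates(relations, y):
    """Plug the target y into each relation and solve the resulting linear system in x."""
    eqs = []
    for rel in relations:
        row = 0
        for i in range(N):
            coef = parity((rel >> (i * N) & MASK) & y) ^ (rel >> (N * N + i) & 1)
            row |= coef << i
        const = parity((rel >> (N * N + N) & MASK) & y) ^ (rel >> (N * N + 2 * N) & 1)
        eqs.append(row | const << N)              # homogenised: extra coordinate x_N = 1
    basis = nullspace(eqs, N + 1)
    found = set()
    for m in range(1 << len(basis)):              # affine solution set = kernel vectors with x_N = 1
        v = 0
        for k, b in enumerate(basis):
            if m >> k & 1:
                v ^= b
        if v >> N & 1:
            found.add(v & MASK)
    return sorted(found)


def demo(seed=1, x0=0b10110011010):
    rng = random.Random(seed)
    key, priv = keygen(rng)
    y0 = encrypt(key, x0)
    pairs = [(x, encrypt(key, x)) for x in range(1 << N)]   # toy: whole domain
    rels = linearization_relations(pairs)
    return {"x0": x0, "y0": y0, "decrypt_ok": decrypt(priv, y0) == x0,
            "n_relations": len(rels), "candidates": candidates(rels, y0)}


if __name__ == "__main__":
    print(demo())
```

With these parameters the identity $u v^{q^\theta} = u^{q^{2\theta}} v$ alone yields $n$ independent relations; for a fixed ciphertext their solutions in $u$ are $u_0$ and $0$ (since $\gcd(2\theta, n) = 1$), so `candidates` returns at most two cleartexts, one of which is the right one, and no Gröbner computation or search over the $2^{11}$ messages is needed.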

Actually, the security of this class rests on the difficulty of solving systems of polynomial equations. This problem is hard when the equations are randomly chosen. All manipulations aim to make the equations look like that. If they really were random, the problem would be hard for Alice, too.

Our paper is organized as follows. In the next section we develop 
our own, new cryptosystem. Alice builds her public key by manipu- 
lations as above, starting from a certain bivariate polynomial. All of 
Alice's manipulations are meant to hide from Eve this polynomial. It 
is the most important part of the private key. Its knowledge reduces 
decryption to the practically easy problem of solving a single univariate 
polynomial. 

In the third section we discuss some security issues. There we explain that practically all nonlinear bivariate polynomials are suitable for giving rise to a public key. This abundance of choices is an important security parameter.

In the fourth section we provide our cryptosystem with a digital signature algorithm. In the fifth one we provide one more encryption protocol, now a probabilistic one, in the sense that to the same cleartext correspond zero, one, or more ciphertexts.

In the sixth one we discuss some more variations. Essentially, we replace the single bivariate polynomial by an ideal of a small size.

In the seventh section we mention what Shannon [?] calls Unconditionally Secure Cryptosystems. Actually, this class of cryptosystems is considered an exclusive domain of private key cryptography. This is due mostly to the unhappy state of the art of public key cryptography.

In the eighth one we extend our constructions to differential fields of positive characteristic. We hope they are the suitable environment for unconditionally secure public key cryptosystems.



2. A New Cryptosystem 

2.1. Key Generation. Alice chooses two finite fields $\mathbb{F}_q < K$, and a basis $\beta_1, \beta_2, \dots, \beta_n$ of $K$ as an $\mathbb{F}_q$-vector space. Next she takes a generic (for now) randomly chosen bivariate polynomial:

(5) $f(X, Y) = \sum_{i,j} a_{ij}\, X^i Y^j$

in $K[X, Y]$, such that she is able to find all its roots in $K$ with respect to $X$, for every $Y \in K$, if any. For the range of $i$ employed, this is nowadays considered a relatively easy problem. Further, $f(X, Y)$ is subject to a few other constraints, which we make clear at the opportune moment.

In transforming cleartext into ciphertext, Alice will work with two intermediate vectors, $\mathbf{u} = (u_1, \dots, u_n)$ and $\mathbf{v} = (v_1, \dots, v_n)$; $\mathbf{u}, \mathbf{v} \in K$. She sets:

(6) $\sum_{i,j} a_{ij}\, \mathbf{u}^i \mathbf{v}^j = 0.$

For $a_{ij} \ne 0$, she sets somehow:

(7) $i = \sum_{k=1}^{n_i} q^{\theta_{ik}}, \qquad j = \sum_{k=1}^{n_j} q^{\theta_{jk}},$

where $\theta_{ik}, \theta_{jk}, n_i, n_j \in \mathbb{N}^*$. Here somehow means that (7) need not be the $q$-ary representation of $i, j$. Indeed, there is no reason for it to be. We allow each $i$ both opportunities: to be or not to be. Doing so we increase our choices, whence the random look of the public key. In any fashion, what we are dealing with are nothing but identities. Next Alice substitutes (7) for the exponents in (6), obtaining:

(8) $\sum_{i,j} a_{ij}\, \mathbf{u}^{\sum_{k=1}^{n_i} q^{\theta_{ik}}}\, \mathbf{v}^{\sum_{k=1}^{n_j} q^{\theta_{jk}}} = 0;$

that is:

(9) $\sum_{i,j} a_{ij} \prod_{k=1}^{n_i} \mathbf{u}^{q^{\theta_{ik}}} \prod_{k=1}^{n_j} \mathbf{v}^{q^{\theta_{jk}}} = 0.$

Recall that the operation of raising to the $q^k$-th power in $K$ is an $\mathbb{F}_q$-linear transformation. Let $P_k = \{p^{(k)}_{ij}\}$ be the matrix of this linear transformation in the basis $\beta_1, \beta_2, \dots, \beta_n$, i.e.:

(10) $\beta_i^{q^k} = \sum_{j=1}^{n} p^{(k)}_{ij}\,\beta_j, \qquad p^{(k)}_{ij} \in \mathbb{F}_q,$

for $1 \le i, j \le n$. Alice also writes all products of basis elements in terms of the basis, i.e.:

(11) $\beta_i \beta_j = \sum_{k=1}^{n} m_{ijk}\,\beta_k, \qquad m_{ijk} \in \mathbb{F}_q,$

for $1 \le i, j \le n$.

Now she substitutes $\mathbf{u} = (u_1, u_2, \dots, u_n)$, $\mathbf{a}_{ij} = (a_{ij1}, a_{ij2}, \dots, a_{ijn})$, $\mathbf{v} = (v_1, v_2, \dots, v_n)$, and the identities (10), (11) into (9), and expands. So she obtains a system of $n$ equations of degree $t$ in the $\mathbf{u}, \mathbf{v}$, where:

(12) $t = \max\{n_i + n_j : a_{ij} \ne 0\}.$

Every term under $\sum$ in (7) contributes one to the degree of the polynomials in the $\mathbf{u}$ (respectively the $\mathbf{v}$).

Here we pause to give some constraints on the range of $i, j$ in (6). The aim of this section is to generate a set of polynomials, linear in one set of variables and nonlinear in another one. For that purpose, we relate (6) and (7): $a_{ij} \ne 0 \Rightarrow \{n_i \ge 1,\ n_j = 1\}$, i.e. every exponent of $\mathbf{v}$ is a single power of $q$.

On the other side, the size of the public key will be $O((2n)^{t+1})$. So, it grows polynomially with $n$, and exponentially with $t$. Therefore, we are interested in keeping $t$ rather modest, e.g., $t = 2, 3$ or so. So, we have to choose $i, j$ in (5), (7) in order to keep $t$ under a prefixed bound.
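A worked instance of (5)–(12), added here for illustration (it is not in the paper; the coefficients $a_{ij}$ are placeholders): take $q = 2$ and

$$f(X, Y) = a_{6,2}\, X^6 Y^2 + a_{2,4}\, X^2 Y^4 + a_{4,2}\, X^4 Y^2 .$$

Writing the exponents as in (7), $6 = q^1 + q^2$ ($n_6 = 2$), $2 = q^1$ and $4 = q^2$ ($n_2 = n_4 = 1$), so every $j$ satisfies $n_j = 1$ as required, and (9) reads

$$a_{6,2}\, \mathbf{u}^{q^1}\mathbf{u}^{q^2}\mathbf{v}^{q^1} + a_{2,4}\, \mathbf{u}^{q^1}\mathbf{v}^{q^2} + a_{4,2}\, \mathbf{u}^{q^2}\mathbf{v}^{q^1} = 0,$$

with $t = \max\{2 + 1,\ 1 + 1,\ 1 + 1\} = 3$ by (12). Each $\mathbf{v}^{q^\theta}$ is $\mathbb{F}_q$-linear in the coordinates of $\mathbf{v}$ by (10), and the product $\mathbf{u}^{q^1}\mathbf{u}^{q^2}$ is quadratic in the coordinates of $\mathbf{u}$ by (10) and (11); so after substituting (13) the $n$ public equations are linear in $\mathbf{y}$ and of degree 2 in $\mathbf{x}$, and by 2.3.3 Alice never has more than 6 roots $\mathbf{u}$ to examine. The "somehow" of (7) is visible here too: $6 = q^1 + q^1 + q^1$ is an equally valid choice, with $n_6 = 3$, $t = 4$, and public equations of degree 3 in $\mathbf{x}$.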

Next, Alice chooses $A = \{A_{ij}\},\ B = \{B_{ij}\} \in GL_n(\mathbb{F}_q)$, $\mathbf{c}, \mathbf{d} \in K$, and sets:

(13) $\mathbf{u} = A\mathbf{x} + \mathbf{c}, \qquad \mathbf{v} = B\mathbf{y} + \mathbf{d},$

where $\mathbf{x} = (x_1, x_2, \dots, x_n)$, $\mathbf{y} = (y_1, y_2, \dots, y_n)$ are vectors of variables.

Now she substitutes (13) into the equations in the $\mathbf{u}, \mathbf{v}$ above, and expands. So she obtains a system of $n$ equations of degree $t$ in the $\mathbf{x}, \mathbf{y}$; linear in the $\mathbf{y}$, and nonlinear in the $\mathbf{x}$.

After the affine transformation, terms of each degree from zero to $t$ appear in each equation; before, they did not. This is its use: to shuffle terms coming from different monomials of (9).

At this point, we are ready to define the cryptosystem. 

2.2. The Protocol. With the notations adopted above, we define the HPE Cryptosystem (Hidden Polynomial Equations) as the public key cryptosystem such that:

• The public key is:

— The set of the polynomial equations in the $\mathbf{x}, \mathbf{y}$ as above;

— The field $\mathbb{F}_q$;

— The alphabet: a set of elements of $\mathbb{F}_q$.

• The private key is:

— The polynomial (5);

— $A, B, \mathbf{c}, \mathbf{d}$ as in (13);

— The identities (6) to (11);

— The field $K$.

• Encryption:

Bob separates the cleartext $M$ into blocks of $n$ letters. If needed, he pads the last block with empty spaces. Next he takes an $n$-tuple $\mathbf{x} = (x_1, x_2, \dots, x_n)$ of $M$, substitutes it for the $\mathbf{x}$ in the public equations, solves with respect to the $\mathbf{y}$, and sends $\mathbf{y} = (y_1, y_2, \dots, y_n)$ to Alice. We assume here that the solutions exist, and postpone the case in which they do not.

• Decryption:

Alice substitutes $\mathbf{v} = B\mathbf{y} + \mathbf{d} \in K$, as in (13), into (6), and finds all solutions $\mathbf{u}$ within $K$. There is at least one. Indeed, if $\mathbf{x}$ is Bob's cleartext, $\mathbf{u}$ as in (13) is one. For each solution $\mathbf{u}$, she computes:

(14) $\mathbf{x} = A^{-1}(\mathbf{u} - \mathbf{c}),$

and represents all solutions in the basis $\beta_1, \beta_2, \dots, \beta_n$. It takes a Chinese Remainder Theorem computation. With probability $\approx 1$, all results but one, Bob's $(x_1, x_2, \dots, x_n)$, are gibberish, or even fall outside the alphabet.

2.3. Remarks.

2.3.1. The risk of ambiguous decryption is quite virtual. It equals the probability that another sensible combination of letters $\mathbf{x}$ satisfies (14) for some root $\mathbf{u}$ of (6) for Bob's $\mathbf{y}$, besides the good one, which always does. Afterwards, the undesired solution would also have to fit well with the other parts of the decrypted message.

2.3.2. The main open question is that of the existence of solutions. Well, Bob succeeds in encrypting a certain message $\mathbf{x}$ iff Alice's equation (6), with $\mathbf{u}$ as in (13) for that $\mathbf{x}$, has solutions $\mathbf{v}$. Alice's polynomial is a random one. It is a well-known fact from algebra that the probability that a random polynomial of degree $m$ with coefficients in a field $\mathbb{F}_{q^n}$ has a root in it is about $1 - \frac{1}{e} \approx 63.2\%$ [?, ?]. Now the remedy is probabilistic. Alice makes the alphabet public, with letters being subsets of $\mathbb{F}_q$. Bob writes down a plaintext and starts the encryption. If he fails, he substitutes a letter of the cleartext with another one of the same set, and retries.

After $s$ trials, the probability that he has not succeeded is $\approx e^{-s}$; sufficiently small for the algorithm to be trusted to succeed.

2.3.3. The other problem is that Alice may have to distinguish the right solution among a great number of them. Here we propose a first remedy. Her number of solutions is bounded above by the degree in $X$ of $f$. So, it is better for her to keep this degree moderate. Later in this paper, in other settings, there will be other remedies, too.

There are no bounds on the degree in $Y$. It can be taken as huge as desired.

2.3.4. Solving univariate polynomial equations is used by Patarin, too [?, ?]. He takes a univariate polynomial of the HFE shape, i.e. a sum of terms $X^{q^i + q^j}$, terms $X^{q^i}$, and a constant, with coefficients in $K$:

$$f(X) = \sum_{i,j} \beta_{ij}\, X^{q^{i} + q^{j}} + \sum_i \alpha_i\, X^{q^{i}} + \mu_0,$$

and with manipulations like ours, both the same as Imai-Matsumoto [?], he gets his public key: a set of quadratic equations. He uses two affine transformations to shuffle the equations. We claim that the first one adds nothing to the security.

The bigger the degree of $f$ is, the more the public key resembles a randomly chosen set of quadratic equations. So, it is a security parameter. On the other side, it slows down decryption, principally by adding a lot of undesired solutions. To face that second problem, other, randomly chosen, equations are added to the public key. This is its Achilles' heel. It makes the public key overdefined, therefore subject to certain facilities for solving it [?]. So, it weakens the trapdoor problem.

We do not add equations to discard undesired solutions. So, we are not sub­ject to the overdefined issue. If in certain variations we do add some, we need to add fewer equations, however. We label as wrong solutions those that, once decrypted, do not make sense, or fall outside the alphabet.

After all, all decrypted texts will in any case be in a comprehensible language (to someone or some widget). As $n$ grows, it is less likely to have more than one meaningful solution. Besides, any bogus solution that appears to Alice appears to Eve, too. Furthermore, Eve may have more meaningful solutions. If desired, other tests can be introduced for that purpose. There is no need, however. The solutions, the good one and the bad ones, are very few; no more than $m$, the degree of $f$ in $X$.

A big advantage of our setting is that we need a lower degree polynomial in $X$. So, we make the presence of undesired solutions virtual. Decryption is a pure linear algebra matter.

What is most important, we now have a practically infinite range of choices of $f$. This is not Patarin's case. There the choices are bounded below because of easy-to-attack cases, and above because of being impractical for legitimate users.

The only few constraints we put on its monomials aim to:

• keep the public key equations linear in the $\mathbf{y}$;

• have fewer undesired solutions in the decryption process;

• keep the size of the public key moderate;

• keep all public key equations nonlinear in the $\mathbf{x}$.

We can take the degree in $\mathbf{y}$ unreasonably high. It gives no trouble to us. It suffices that all the powers of $Y$ that appear in the monomials of $f$ are powers of $q$, so the public equations come out linear with respect to the $\mathbf{y}$.

A new facility now is that we can take a lower degree in $\mathbf{x}$, as the multiple linear attack hopefully no longer applies.

The constraint that all public key equations must be nonlinear in the $\mathbf{x}$ is the only non-negotiable one. Indeed, if Alice violates it, the trapdoor problem becomes fatally easy for Gröbner techniques.

Back to the degree in the $\mathbf{y}$ of the public key. Assume that the public key equations are not linear in the $\mathbf{y}$. Once Bob substitutes the $\mathbf{x}$ in the public equations, he is not challenged to solve a nonlinear system of equations completely. He is only required to find one solution of it. This can be done within polynomial time with respect to the total degree of the system. Later we give settings to keep the public key nonlinear of modest degree in the $\mathbf{y}$.

Each such solution (if any) is an encryption of the same cleartext. So we have set up a probabilistic encryption protocol. To a single cleartext may correspond zero, one, or more ciphertexts.

So, in conclusion, Alice is allowed to take for the construction of her public key any bivariate polynomial whatsoever. Indeed, we later argue that $f$ can quite well be a multivariate polynomial.

We hope this abundance of choices is a spoil-sport to Eve.

3. Security Issues 

Apparently, the only things Eve knows are the system of public equations, and the order of the extension. By brute force, she has to take $(y_1, y_2, \dots, y_n)$, substitute it into the public key equations, solve in $\mathbb{Z}$, or maybe $\mathbb{Z}[\alpha]$, and take the sensible solution. Almost surely, there is only one good solution among those that she finds. She has to find it among $t^n$ of them. However, the main difficulty for her is just solving the system. Supposedly, it will pass through the complete computation of a Gröbner basis. It is a well-known hard problem. The complexity of the computation over a field grows at most doubly exponentially with respect to the number of variables, and in the average case, exponentially.

So, it is better to take $n$ huge. This diminishes the probability that Alice confuses decryption, however close to zero it is, and, what is most important, this renders Eve's task harder.

Alice and Bob will have to solve sets of bigger systems of linear equations, and face the Chinese Remainder Theorem for bigger $n$.

There exist well-known facilities [?] to solve overdefined systems of equations. Unlike most of the rest, our public key is irredundant, so it is not subject to such facilities.

Now, by exhaustive search we mean that Eve substitutes the $\mathbf{y}$ in the public equations, and tries to solve them by substituting values for $\mathbf{x}$.

If we have $d$ letters, each of them represented by a single element of $\mathbb{F}_q$, the complexity of an exhaustive search is $O(d^n)$. It is easy for Alice to render exhaustive search more cumbersome than the Gröbner attack. The latter seems to be the only choice for Eve.

We did not find any known-cleartext attack on our cryptosystem.

Eve may engineer cleartext $\leftrightarrow$ ciphertext analyses, seeking invariants or regularities there, helpful for an attack [?]. All the identities we use are meant to tousle any such regularity, and to disguise from Eve any hint on $i, j$, on the entries of $A, B, \mathbf{c}, \mathbf{d}$, and on the $a_{ij}$, that she may use for such an attack.

The complexity of the trapdoor problem is $O(t^n)$, the size of the public key $O(n^{t+1})$. This fully suggests the values of the parameters: $n = 100$, $t = 2, 3, 4$ would be quite good choices.

Obviously, infinitely many bivariate polynomials give rise to the same public key. Indeed, once the ground field, the degree of the extension $n$, and the degree of the public key equations are fixed, we have a finite number of public keys. On the other hand, there are infinitely many bivariate polynomials that can be used as private keys.

On how this happens, nothing is known. If ever found, any such regularity will only weaken the trapdoor problem.

4. A Digital Signature Algorithm 

Assume that we are publicly given a set of hash functions that send cleartexts to strings of integers of fixed length. For the sole purpose of signing messages for Alice, Bob builds a cryptosystem as above with $q_B$ prime, and $[K_B : \mathbb{F}_{q_B}] = n_B$. To sign a message $M$, he:

• calculates $H(M) = (y_1, y_2, \dots, y_{n_B}) = \mathbf{y} \in K_B$;

• finds one solution (if any; otherwise, see section 2.3.2) $\mathbf{u}$ of $f_B(\mathbf{u}) = \mathbf{y}$ in $K_B$;

• calculates $\mathbf{x} = A_B^{-1}(\mathbf{u} - \mathbf{c}_B)$, with $A_B, \mathbf{c}_B$ Bob's affine map on the $\mathbf{x}$ side, as in (13) and (14);

• appends the signature $\mathbf{x} = (x_1, x_2, \dots, x_{n_B})$ to $M$, encrypts, and sends it to Alice.

To authenticate, Alice first decrypts, then she:

• calculates $H(M) = (y_1, y_2, \dots, y_{n_B})$;

• substitutes $(x_1, x_2, \dots, x_{n_B})$, $(y_1, y_2, \dots, y_{n_B})$ into Bob's public equations;

• so she gets an $n_B$-tuple of integers. If they all reduce to zero modulo $q_B$, she accepts the message; otherwise she knows that Eve has been causing trouble.

If Eve tries to impersonate Bob and send Alice her own message with hash value $\mathbf{y} = (y_1, y_2, \dots, y_{n_B})$, then to find a signature $(x_1, x_2, \dots, x_{n_B})$ she may try to find one solution of Bob's system of equations for $\mathbf{y}$. We rely on the hardness of this problem for the security of authentication.

5. A Probabilistic Encryption Protocol 

With the ideas described above, we are now going to set up a probabilistic protocol such that only the legitimate users can send messages to one another. That is, the message is meaningful iff there are no intruders. Its being meaningful is the signature itself.

Here is the shortest possible description. Let $F_A$ and $F_B$ be Alice's and Bob's public key functions respectively, where $n_A = n_B$. To send a message $\mathbf{x}$ to Alice, Bob sends her a random (this randomness is the probabilistic pattern) element of $F_A(F_B^{-1}(\mathbf{x}))$, which she can decrypt by calculating $F_B(F_A^{-1}(F_A(F_B^{-1}(\mathbf{x}))))$. This works if $F_A(F_B^{-1}(\mathbf{x})) \ne \emptyset$. Otherwise, the approach is probabilistic, as in the previous section.

Here is the extended description. Each (English, e.g.) letter (or only some of them) is represented by a set of a few (two, e.g.) elements of the field, or strings of them. For ease of explanation, Bob's public equations are linear in the $\mathbf{x}$, and of higher degree in the $\mathbf{z}$.

Bob writes down the cleartext $\mathbf{x}$ and finds one solution of:

(15) $\mathbf{x} = b_r \mathbf{z}^r + b_{r-1}\mathbf{z}^{r-1} + \dots + b_0.$

If there are no solutions, Bob changes a representative of a letter, and retries. Probability issues are discussed in section 2.3.2. Now Bob takes the solution $\mathbf{z}$ of (15), and applies:

(16) $\mathbf{y}' = A_B^{-1}(\mathbf{z} - \mathbf{c}_B),$

the inverse of his own affine map on the nonlinear side, as in (14). Next he takes $\mathbf{y}'$ and substitutes it into Alice's public equations. So he obtains a tuple $\mathbf{y}$, which he sends to Alice. This is the ciphertext.

Each of the other solutions of (15) gives rise to another encryption of the same cleartext.

Alice now, to decrypt, solves her equation for $\mathbf{y}$ within her field $K$. There is at least one solution. Next she applies her inverse affine transformation to all (few) solutions, and substitutes them all into Bob's public equations. Of all that output, Alice now discards the meaningless solutions, and takes the meaningful one.

What is the trapdoor problem now? Well, on the authentication side, nothing new. Eve has the same chances to forge here that she had before. Recall that this kind of signature already compares favourably with the other ones.

On security, instead, there is a very good improvement. By brute force, Eve has to take the ciphertext, substitute it into Alice's public key, find all solutions, and substitute them all into Bob's public key; then take the sensible ones. This is worse than the exhaustive search of the previous cryptosystems.

Now, what does exhaustive search really mean here? Eve now has to search through all the elements of the common public ground field, not just through the alphabet. So, opting for this protocol, we can put a lot of constraints on the alphabet, in order to discard the undesired solutions far more easily, without rendering the public key overdefined.

She sets up such $n$-tuples, and checks whether they are solutions of Alice's public key with Bob's ciphertext $\mathbf{y}$ substituted for the variables $\mathbf{y}$. If yes, she substitutes into Bob's public key, and checks whether it makes sense.

What can the linear multiple attack or the quadratic attack [?] do in these new settings?

Apart from all that, we save space and computation. We no longer need the computation and the space of the signature.

This protocol can be used for multiple encryption, too.

Let us suppose that the letters are strings of a fixed length. Well, here Alice can impose that not all strings are letters. So, in decryption she discards a priori the solutions that contain non-letters. Doing so, she actually has a single good solution of her polynomial, and saves herself the effort of appealing to other tricks. In all the other schemes throughout, such a trick fatally weakens the exhaustive search.

6. Hidden Ideal Equations 

Instead of a single bivariate polynomial, Alice may choose to employ an ideal of a very modest size. She separates the variables she employs into two sets, $\{X_i\}$, $\{Y_j\}$: one for encryption, one for decryption. She may decide to leave one of the equations employed of higher degree in the $\{Y_j\}$ after the manipulations, so she gives rise to a probabilistic encryption protocol. Alice's parameters are:

• $n = [K : \mathbb{F}_q]$;

• the numbers $s_1, s_2$ of variables $\{X_i\}$, $\{Y_j\}$, respectively;

• the number $r$ of private equations.

So, the number of public key equations is $n \cdot r$. The number of the variables $x_{ik}$ is $n \cdot s_1$, and that of the $y_{jk}$ is $n \cdot s_2$.

Alice's number of variables, the $\{X_i\}$, is insignificant so far, so she is supposed to be able to appeal to Gröbner techniques in order to solve her system of equations within the field of coefficients for Bob's $\{Y_j\}$.

What is most important here and throughout: if Bob succeeds in encrypting, Alice always succeeds in decrypting.

For ease of treatment, assume now that Alice does not apply affine transformations to her variables. Bob fails to encrypt a certain cleartext $(X_1, \dots, X_{s_1})$ iff Alice's private ideal has no solutions in the $Y$ for such an $(X_1, \dots, X_{s_1})$. Alice's private ideal is a random one. If she takes $r \le s_2$, the probability that it has no solutions is $\approx 0$, and $\approx 1$ for $r > s_2$. So, it suffices that Alice takes $r \le s_2$. The critical cases that may arise are handled simply by changing the alphabet.

With slight changes, this reasoning holds in the case that Alice applies affine transformations, too.

The real problem is indeed that the solutions for Alice may be too many; in any case finitely many, as the base field is finite. The best remedy for that is that Alice takes $r = s_1$. So, the ideal that she obtains after substitution of Bob's ciphertext is zero-dimensional (quite easy to make happen), and the number of solutions is bounded above by the Bézout number of the system. So, she can contain the number of solutions by taking the total degree in the $\{X_i\}$ modest, and yet each of them nonlinear.

Alice can take all equations of very low degree in the $X$, and then transform that basis of the ideal they generate to another one of very high degrees in the $X$. So she has a low Bézout number of the ideal, and higher degrees in the $X$, and transformations as above can take place. If she takes the first basis linear, the number of solutions of her equations reduces to one: Bob's cleartext.

As soon as $r > s_1$, the public key becomes overdefined.

Alice applies a permutation to the equations and a renumbering to the variables before publishing her key, so Eve does not know how they are related. She may apply affine transformations, or may not, or may apply them to only some of the $X_i, Y_j$; at her discretion.

If $s_1 < s_2$, the size of the ciphertext is bigger than that of the cleartext, and nothing else is wrong. In this case, encryption is practically always probabilistic. Indeed, even when the equations are linear with respect to the $y_{jk}$, since there are more variables than equations, the solutions exist, and are not unique.

Actually, Alice can take $s_2$ rather huge. She may choose to manipulate some of the $Y_j$ within a subfield of $K$, rather than within $K$. Doing so, she allows herself a big $s_2$, and a contained size of the ciphertext. The number of the variables $y_{jk}$ is then no longer $n \cdot s_2$.

6.1. Now the size of the public key is $O(s_1\, n^{t+1})$, and the complexity of the trapdoor problem is $O(t^{n \cdot s_1})$.

It is true that throughout the size of the public key grows polynomially with $n$, but before $n$ becomes interesting, the public key is already quite cumbersome. So, opting for the choices of this section, we have reasonable security with much smaller values of $n$; $n = 20$, or so, is actually quite good. We are allowed some more values of $t$, too.

6.2. There exist classes of ideals said to have the doubly exponential ideal membership property [?]. These are the ideals for which the computation of a Gröbner basis cannot be done within exponential time in the number of variables, i.e., it can only be done within doubly exponential time in the number of variables. It is very interesting to know whether we can employ them in some fashion in this class of cryptosystems. In any fashion, this is the theoretical limit for employing the solving of polynomial systems of equations in public key cryptography.

7. Some Considerations 

The idea of public key cryptography was first proposed by Diffie and Hellman [?]. Since then, it has seen several vicissitudes [?].

A trapdoor function is a map from cleartext units to ciphertext units that can be feasibly computed by anyone having the public key, but whose inverse function cannot be computed without knowledge of the private key:

• either because (at present, publicly) there is no theory to do it;

• or the theory exists, but the amount of calculation is deterring.

Cryptosystems with trapdoor problems of the first kind are what Shannon [?] calls Unconditionally Secure Cryptosystems.

Actually, the aim is to make trapdoor problems equivalent to time-honoured hard mathematical problems. However, a problem being hard or undecidable implies nothing about the security of the cryptosystem [?, ?]. Recall that of all the schemes ever invented, only two of them, RSA [?] and ECDL [?], are going to be broken (or, at least, are going to become impractical) by solving the hard problems they rest upon. The rest of them have been broken with theories of no use for solving their hard problem. So, once more, it may happen to be proved that solving systems of differential and integral equations is undecidable, and nevertheless several cryptosystems built upon them may be easy to break rather than secure.

The author is very fond of the idea of public key cryptography, and believes in any case in new developments that will make it fully suffice for all purposes.

Actually, one tendency is that of investigating poor structures, that is, structures with fewer operations, like groups and semigroups, with cryptosystems based upon the word problem [?, ?, ?]. Yamamura's paper [?] can be considered pioneering on secure schemes. Unfortunately, its scheme is still ineffective.

William Sit and the author are investigating cryptosystems upon other algebraic structures. We are investigating, among other things, whether it is possible to build effective secure schemes upon differential fields of positive characteristic. We hope that cryptography will arouse new interest in differential and universal algebra, too, as it did in number theory and arithmetic geometry. One reason for optimism is that in universal algebra one can go on forever with new structures and hard or undecidable problems. Until now we have appealed only to the unary and binary arithmetic operations.

8. Generalizations on Differential Fields 

Differential algebra was born principally due to the efforts of Ritt [?] to handle differential equations by means of algebra. Actually, a differential field is a field with a set of unary operations $'$, called derivations, that replace an element of the field with another one such that $(a + b)' = a' + b'$ and $(ab)' = ab' + a'b$.

Good references on the topic are [?, ?, ?, ?, ?]. Kaplansky's book is probably the best introduction to the topic.

It is possible^2 to generalize the schemes given throughout using 
differential polynomials instead of (5). Take K to be a finite differential 
field extension of a differential field F of positive characteristic^3. Any 
such K is defined by a system of linear homogeneous differential equations, 
and there are structural constants defining the operations for the 
derivations (one matrix for each derivation), as well as for multiplication. 

^2 Most of the considerations given in this section are suggestions of Professor Sit. 

One can now replace (5) with a differential polynomial. The scheme 
works verbatim. One can take (5) to be of higher order and degree; 
that is fine too, just as in the algebraic case. Euler, Clairaut, or any of the 
other well-studied classes of equations, or their compositions, each 
fully suffice. 

The techniques described above for polynomials, if applied to 
differential polynomials, will definitely make it much harder to attack any 
protocol developed. Any affine transformation (by this is meant a linear 
combination of the differential indeterminates with not-necessarily 
constant coefficients, this linear combination being then substituted 
differentially in place of the differential indeterminates) will not only 
even out the degrees but also the orders of the various partials, 
making the resulting differential polynomial very dense. 

However, there is one thing to caution about: any time one specifies 
these structural matrices, they have to satisfy compatibility equations. 
In the algebraic case, these are the relations between $P_k = \{p_{ijk}\}$ in (10) 
and $M_\beta = \{m_{ijl}\}$ in (11). The $P_k$ are simply determined uniquely by 
$M_\beta$, given the choices implicitly defined in (11). 

It would be very interesting to know, in the algebraic case, whether the system 
of equations Alice obtains is invariant under a change of basis, all other 
settings being equal. There is probably some group of matrices in 
GL(n, q) that does that. Such knowledge may be used to build 
attacks on all schemes of the HFE class. 

In the differential case there is a similar action, called the Loewy action 
or the gauge transformation. For ordinary differential equations, two 
matrices A, B are Loewy similar if there is an invertible matrix K 
such that $A = (\delta K) K^{-1} + K B K^{-1}$. Using this action, one can classify 
the different differential vector space structures on a finite dimensional 
vector space. There is also a cyclic vector algorithm to find a special 
basis, so that the differential linear system defining the vector space 
becomes equivalent to a single linear ODE. 
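The relation above is exactly what a change of basis forces; the following short derivation is added here and is not part of the original paper. It assumes the two systems are written $\delta Y = AY$ and $\delta Z = BZ$ for column vectors Y, Z, and that $\delta$ acts on vectors and matrices entrywise, so the Leibniz rule holds for matrix products. Substituting $Y = KZ$:

$$\delta Y = (\delta K)\,Z + K\,\delta Z = (\delta K)\,Z + K B Z = \big((\delta K)K^{-1} + K B K^{-1}\big)\,Y,$$

since $Z = K^{-1} Y$. Hence every solution of $\delta Z = BZ$ is carried to a solution of $\delta Y = AY$ precisely when $A = (\delta K)K^{-1} + K B K^{-1}$; in the algebraic case, where $\delta K = 0$, this reduces to ordinary similarity $A = K B K^{-1}$, which is the change-of-basis action on $GL(n, q)$ mentioned above. 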

If no other problems arise for the differential algebraic schemes, there 
is however one more caution for them to be unconditionally secure. We 
have to avoid exhaustive search. For that, Alice has to publish 
a finite alphabet where each letter is represented by an infinite set, 
with disjoint sets for different letters. This is possible in differential fields, 
as they are infinite. Alice renders the sets public parametrically, as 
differential algebraic functions of elements of the base differential field 
and of parameters, e.g., in Z. Bob chooses a letter, gives random values 
to the parameters, obtains one representative of the letter, and proceeds 
as above. In any case, if $\mu$ is the order of the public equations, any two 
elements $\xi, \theta \in F$ such that $(\xi - \theta)^{(\mu)} = 0$ must represent the same 
letter, if any. 

^3 In zero characteristic, numerical analysis tools seriously affect security, or at 
least constrain us to more careful choices. We shall not dwell on this topic here. 

The main concern for Alice is that the public key equations must not 
fall into classes tractable by well-known means, such as linear algebra. 

In the algebraic case such constructions do not make sense. Eve can 
in any event appeal to the Gröbner attack. Besides, in any case such data 
would enable her to guess q. 

The size of the public key is now actually $O(n^{to+1})$, where o is the 
order of the public key equations. Quite explosive. However, a first tool 
to contain it is the low characteristic of the field: many 
monomials reduce to zero. The best consolation is that we do not 
have to go far with the parameters. The trapdoor problem is simply 
undecidable; n = 20 would fully suffice. Such a value is needed 
more in order to avoid uncertain decryption (which is, however, less probable in 
differential fields, as the range of solutions is infinite) than for growing 
security. Besides, if some attack were found for the HDPE (Hidden 
Differential Polynomial Equations) scheme, it would work better with 
HPE. As of now, the HDPE trapdoor problem seems undecidable, and 
the scheme effective. The author is working to come up with concrete 
examples of this kind of cryptosystem. Unfortunately, everything in 
the topic is still handmade, and therefore rather time-consuming. 
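The two derivation axioms quoted at the start of this section, and the remark just above that low characteristic kills many monomials, can be checked concretely on the simplest derivation available, the formal derivative d/dx on GF(p)[x]. The code below is an added example, not part of the paper or of any implementation by its author; the prime p and the sample polynomials are constructed for illustration.

```python
# Added example: a formal derivation on GF(p)[x] (polynomials as dicts
# {exponent: coefficient mod p}).  It checks the sum rule and the Leibniz
# rule (a+b)' = a'+b', (ab)' = ab'+a'b, and lists the monomials x^e whose
# derivative e*x^(e-1) is zero because p divides e.
from collections import defaultdict

def normalize(f, p):
    """Reduce coefficients mod p and drop the zero ones."""
    return {e: c % p for e, c in f.items() if c % p}

def add(f, g, p):
    h = defaultdict(int)
    for e, c in list(f.items()) + list(g.items()):
        h[e] += c
    return normalize(h, p)

def mul(f, g, p):
    h = defaultdict(int)
    for e1, c1 in f.items():
        for e2, c2 in g.items():
            h[e1 + e2] += c1 * c2
    return normalize(h, p)

def derive(f, p):
    """Formal derivative x^e -> e x^(e-1); the factor e vanishes when p | e."""
    return normalize({e - 1: e * c for e, c in f.items() if e > 0}, p)

def is_derivation(f, g, p):
    """True if both derivation axioms hold for the pair (f, g) over GF(p)."""
    sum_rule = derive(add(f, g, p), p) == add(derive(f, p), derive(g, p), p)
    leibniz = derive(mul(f, g, p), p) == add(mul(f, derive(g, p), p),
                                             mul(derive(f, p), g, p), p)
    return sum_rule and leibniz

def vanishing_monomials(max_degree, p):
    """Exponents e <= max_degree for which x^e has derivative 0 in GF(p)[x]."""
    return [e for e in range(max_degree + 1) if not derive({e: 1}, p)]

if __name__ == "__main__":
    p = 2                                 # constructed: characteristic 2, as in the paper
    f = {5: 1, 2: 1, 0: 1}                # constructed: x^5 + x^2 + 1
    g = {3: 1, 1: 1}                      # constructed: x^3 + x
    print(is_derivation(f, g, p))         # True
    print(derive(f, p))                   # {4: 1}: the x^2 term is killed since 2 = 0 in GF(2)
    print(vanishing_monomials(10, p))     # [0, 2, 4, 6, 8, 10]: every other monomial vanishes
```

In GF(2)[x] half of all monomials have zero derivative, which is the effect the text relies on to keep the public key size down.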